On 2017-02-28 at 19:47, Roman Serbski wrote:

> We're planning to migrate to 2.1.0, and to introduce hardware HSM with
> ZSKs still stored under SoftHSM and KSKs to be handled by the hardware
> HSM (SafeNet).

(out of scope for your question, but anyway)

Why not store both KSK and ZSK in the HSM? They are of almost equal value and a compromised ZSK can be used to sign anything, including other ZSKs.

        jakob
_______________________________________________
Opendnssec-user mailing list
https://lists.opendnssec.org/mailman/listinfo/opendnssec-user
